from the terrorism-is-just-things-we-don't-fully-comprehend dept

Jeremy Hammond -- a member of various Anonymous offshoots -- had the misfortune of being prosecuted in the United States. While his UK accomplices in the Stratfor hack were sentenced to 1-3 years, Hammond received a 10-year sentence (along with three years of supervised release) for his participation. The length of Hammond's sentence was mainly due to the CFAA (Computer Fraud and Abuse Act) being a horribly-written law (and there's a possibility it will get much worse in the future), and the FBI's willingness to toss the hacktivist under the bus for the sins of Anonymous, while glossing over the fact that it was an FBI informant (Hector Monsegur, aka Sabu) who handed out hacking targets to Hammond.

A leaked document originating from the New York State Division of Criminal Justice Services (DCJS) reveals that Hammond was considered a "possible terrorist organization member," and indicates that he was placed on the multi-agency Terrorist Screening Database (TSDB), alongside individuals suspected of ties to Al Qaeda, Somalia-based extremists al-Shabaab, and Colombia's leftist FARC guerilla movement.

Here's the pertinent information in all of its teletyped glory:

The document also includes Hammond's rap sheet, which up to that point, only includes fraud and unauthorized computer access related to the theft of credit card information from a conservative website. What it doesn't include is anything that might justify his addition to the terrorist watchlist -- unless the FBI considers protests to be a terrorist activity.

Of course, the government agencies that have the power to place US citizens on terrorist watchlists don't seem interested in providing justification for their decisions. Just having a vague sense of unease seems to be all the "evidence" any agent/official needs to declare a person a threat to this country. Nearly 40% of those currently on the government's terrorist watchlist have "no known affiliation to recognized terrorist groups."

The government has long shown it doesn't understand hacking and is no fan of activism -- generally viewing both activities as some sort of threat. So, on the watchlist Hammond went, something that presumably played a part in the prosecution's push for a decade-long sentence for the hacktivist. His actions and motives were often far from pure, but his imprisonment appears to be a result of the FBI throwing an unwitting operative onto the judicial scrapheap before moving onto its next sting operation.

from the wag-that-dog dept

Last week, as you may have heard, the Justice Department breathlessly announced that it had uncovered and broken up a terrorist plot against the government, leading to the arrest of a 20-year-old man, Christopher Lee Cornell, in Ohio. According to the FBI, Cornell was planning to go to the US Capitol and kill government officials. As often happens with these kinds of announcements, the press was quick to jump in and fuel the narrative of some big terror plot that the FBI was able to miraculously disrupt at the last minute.

For years now, we've pointed out a pattern of how nearly every big headline about the US disrupting a domestic terrorist attack was almost always about the FBI creating its very own plot, and then pressuring and cajoling some vulnerable, poverty-stricken, desperate Muslim (almost always Muslim) young men into "joining" this plot. This happens despite those individuals rarely having expressed direct interest in any sort of terrorist activity, or having any connections or means to carry out such activity. But with continued pressure from "FBI informants" (who tend to either be paid by the FBI or are trying to reduce punishment for other crimes they've been charged with -- or both), eventually these men agree to take part in a "plot" that was entirely designed by the FBI and had no chance of ever happening. We've written about similar occurrences over and over and over and over and over and over and over and over and over and over and over and over again.

The alleged would-be terrorist is 20-year-old Christopher Cornell, who is unemployed, lives at home, spends most of his time playing video games in his bedroom, still addresses his mother as “Mommy” and regards his cat as his best friend; he was described as “a typical student” and “quiet but not overly reserved” by the principal of the local high school he graduated in 2012.

Not only did he just convert to Islam a few months ago (and there's no indication that he ever actually attended the mosque that he claimed to have joined), but the details of the overall story certainly match the pattern of an FBI made-up plot:

The affidavit filed by an FBI investigative agent alleges Cornell had “posted comments and information supportive of [ISIS] through Twitter accounts.” The FBI learned about Cornell from an unnamed informant who, as the FBI put it, “began cooperating with the FBI in order to obtain favorable treatment with respect to his criminal exposure on an unrelated case.” Acting under the FBI’s direction, the informant arranged two in-person meetings with Cornell where they allegedly discussed an attack on the Capitol, and the FBI says it arrested Cornell to prevent him from carrying out the attack.

For someone supposedly plotting a terrorist attack, Cornell didn't seem particularly subtle. The affidavit notes that Cornell first came to their attention because of his tweets in support of ISIS. Then the informant reached out to him and began pushing the plot.

Yet, it's not just the mainstream press that is exaggerating this story. Speaker of the House John Boehner wasted little time in claiming that Cornell was only discovered because of "the FISA program."

“The first thing that strikes me is that we would’ve never known about this had it not been for the FISA program and our ability to collect information for people who pose an imminent threat.”

Except, uh, no. The dude was posting on a public Twitter feed and then had a government informant reach out to him. It doesn't look like anyone needed any particular "FISA program." Thankfully, at least some reporters quickly called bullshit on this, noting that the facts of the case don't at all match up with a situation in which any sort of FISA-approved surveillance effort was needed.

Instead, it seems clear that this is just blatant and cynical fear-mongering by John Boehner in the lead-up to the fight to renew certain provisions of the PATRIOT Act, including Section 215, which is the program under which the NSA and FBI get bulk phone records from phone companies (and, most likely, other bulk records). As Julian Sanchez points out in the link above, there seems to be no reason to have used data collected under Section 215 in this case:

According to the criminal complaint, it was an informant hoping to reduce his own criminal sentence who brought Cornell to the Bureau’s attention. Nor, indeed, was Cornell particularly subtle: Under the Twitter handle ISBlackFlags, he pseudonymously voiced support for the Islamic State and violent jihad. If that’s true, then while it would hardly be surprising if Cornell’s phone records were reviewed at some point in the investigation, it’s hard to see how a bulk telephone database could have been essential to identifying him. Once Cornell had been identified, of course, traditional targeted intelligence or law enforcement authorities would have been sufficient to allow investigators access to his metadata—or, for that matter, his online communications.

But, knowing that the fight over renewing Section 215 is going to be a big deal later this year, it appears that Boehner used this as a bogus excuse to start laying the groundwork for such an approval. Remember that multiple groups -- including the White House's own review board and the government's Privacy and Civil Liberties Oversight Board -- couldn't find any evidence that the 215 program was necessary in stopping a single domestic terrorist attack. The only case that it was really involved in was a guy in California sending some money back to Somalia.

When the fight to renew 215 really ramps up, this lack of a success story is likely to come up. And, thus, it appears that the supporters of the surveillance state are desperately in need of some "success stories" for the 215 program, and Boehner seems to have rushed out and grabbed the first available one and he's going to milk it for all it's worth.

“I’m going to say this one more time because you’re going to hear about it for months and months to come as we attempt to reauthorize the FISA program: Our government does not spy on Americans — unless they are Americans who are doing things that frankly tip off our law enforcement officials to an imminent threat. It was our law enforcement officials and those programs that helped us stop this person before he committed a heinous crime in our nation’s capital.”

Except, no, it wasn't. This sounds like yet another of the government self-built plots that had no chance of ever taking off, and the only reason Cornell, a homebound videogame player who calls his mother "Mommy," got involved was because he was a gullible, disenchanted kid who spouted off some stupid statements on Twitter, making him easy prey.

from the and-yet,-everyone-seems-to-be-calling-for-less dept

Everyone from FBI Director James Comey to UK Prime Minister David Cameron is calling for an end to encryption. The FBI is afraid it won't be able to catch criminals if it can't immediately access content and communications. David Cameron is afraid it will be nothing but constant terrorist attacks from here on out if authorities don't have access to "every means of communication."

A secret US cybersecurity report warned that government and private computers were being left vulnerable to online attacks from Russia, China and criminal gangs because encryption technologies were not being implemented fast enough.

[...]

The document from the US National Intelligence Council, which reports directly to the US director of national intelligence, made clear that encryption was the “best defence” for computer users to protect private data.

This document comes from The Guardian's stash of Snowden leaks. What it says runs completely contrary to the panicked assertions of officials. It even runs contrary to the NSA's own actions, like its active attempts to weaken NIST standards. The report recommends strong encryption, coupled with multi-factor authentication, which would make data and communications wholly inaccessible to the NSA (and GCHQ, its steady surveillance partner).

But this recommendation doesn't come from an outside source. It's an intelligence council that reports directly to the head of national intelligence. And yet, the word didn't spread very far. The NSA isn't thrilled with encryption because it keeps what it wants out of reach. Law enforcement has the same "problem." Both have actively worked to undermine encryption for their own aims and both are perfectly willing to open up citizens and companies to outside attacks in order to preserve the status quo.

And it's not just American agencies that have ignored these recommendations. The GCHQ is engaged in the same cognitive dissonance.

Another newly discovered document shows GCHQ acting in a similarly conflicted manner, despite the agencies’ private acknowledgement that encryption is an essential part of protecting citizens against cyber-attacks.

The 2008 memo was addressed to the then foreign secretary, David Miliband, and classified with one of the UK’s very highest restrictive markings: “TOP SECRET STRAP 2 EYES ONLY”....

The memo requested a renewal of the legal warrant allowing GCHQ to “modify” commercial software in violation of licensing agreements. The document cites examples of software the agency had hacked, including commonly used software to run web forums, and website administration tools. Such software are widely used by companies and individuals around the world.

The document also said the agency had developed “capability against Cisco routers”, which would “allow us to re-route selected traffic across international links towards GCHQ’s passive collection systems”.

GCHQ had also been working to “exploit” the anti-virus software Kaspersky, the document said. The report contained no information on the nature of the vulnerabilities found by the agency.

Again we see agencies charged with protecting nations walking away from this responsibility in order to pursue their own ends. Sure, some safety may have resulted from the collection of unencrypted communications, but both agencies are willing to compromise corporate hardware and consumer software in order to grab just a little more hay for the haystacks.

You can't make a nation safer by destroying its safety features. There's a bigger picture that these agencies refuse to see -- even when internal guidance puts it front and center. If you weaken protections, seek legislation to prevent encryption, collect and stash exploits and install backdoors in hardware and software, you make the nation's cybersecurity that much harder to maintain. The NSA and FBI both want a piece of the cyberwar action but they want to leave everyone that isn't them defenseless. Over on the other side of the pond, the GCHQ is doing the same thing and it has the support of a Prime Minister who feels no communication should be able to escape the agency's notice.

And behind it all, there are documents touting the protective powers of encryption. But that makes intelligence gathering and law enforcement too difficult, so I guess we'll all have to do without.

from the because-of-course dept

It's no secret that the FBI and the NSA often work hand in hand in surveillance activities. As we've discussed before, it's actually the DOJ/FBI who goes to the FISA Court to put in the NSA's requests to collect all your data. However, thanks to a FOIA lawsuit filed by the NY Times, a Justice Department Inspector General's report from 2012 has been revealed (with significant black ink blocking out the juicy parts, of course), showing that beyond being the NSA's FISA Court gopher, the FBI has been dipping its hands into the data pot as well:

In 2008, according to the report, the F.B.I. assumed the power to review email accounts the N.S.A. wanted to collect through the “Prism” system, which collects emails of foreigners from providers like Yahoo and Google. The bureau’s top lawyer, Valerie E. Caproni, who is now a Federal District Court judge, developed procedures to make sure no such accounts belonged to Americans.

Then, in October 2009, the F.B.I. started retaining copies of unprocessed communications gathered without a warrant to analyze for its own purposes. And in April 2012, the bureau began nominating new email accounts and phone numbers belonging to foreigners for collection, including through the N.S.A.’s “upstream” system, which collects communications transiting network switches.

Now, remember, just a few months ago it was revealed that the NSA, CIA and FBI all freely search this treasure trove of info -- and the FBI admitted that it uses it so often that it does not even track how often it has done queries on that data concerning "US person identifiers." So even though the entire point of Section 702 of the FISA Amendments Act was to set up procedures for "targeting certain persons outside the United States other than United States persons," the FBI has basically thrown it wide open so that it can use it however it wants. And, the FBI doesn't then track how it uses that info, because the less of a paper trail, the better, apparently.

As the report notes, basically, if the FISA Court said the NSA could have it (supposedly only for non-US persons), the FBI got its own damn copy to hang onto. Just because.

If you can't read that, it notes:

On October 14, 2009, the FBI began to request that a portion of the raw 702-acquired data also be "dual routed" to the FBI so that it could retain this data for analysis and dissemination in intelligence reports.

As for the FBI starting to choose its own emails and phone numbers to snoop on, the details there involve a whole hell of a lot of black ink redacting the details, but it does note that:

The FBI plans to greatly expand its role in the 702 Program this year by nominating selectors for Section 702 Coverage. Because the nominations program was still being formulated during our review period, the OIG was unable to review these proposed activities in depth for this report. However, in Chapters Three and Four we identify certain FBI policies and practices under the 702 Program that may be affected by the nominations initiative, and thus briefly summarize the nominations proposal below.

This is followed by a paragraph and a half of the finest black ink your tax dollars can buy. Then we get:

Unlike the [REDACTED] process, the FBI, and not the NSA, would be the owning agency for the selectors it nominates, and would assume the primary obligation to review the content of incoming communications to ensure that the targeted account remains legally eligible for 702 collection and continues to produce foreign intelligence information.

This is followed by three paragraphs of black ink and then an admission that while the plan was supposed to start in early 2013, the FBI was so damn eager to get it started, that they'd actually begun in April 2012. Who knew the FBI were early adopters?

Either way, it seems clear that the FBI has had pretty broad access to this collection of data and the power to get selectors added on its own without much oversight or review. And, remember, it doesn't track how often it dips into this data. So, for all the talk of how carefully monitored the NSA's access is... who the hell knows what the FBI is doing with it?

Then, the government changed its mind, conceding that thousands of pages of evidence that should have been given to McDavid's defense attorney years ago – including love notes to a young woman who turned out to be an FBI plant – had instead been secretly held in an FBI file in Sacramento until recently. The best course of action, the government ultimately decided, was to set McDavid free.

"I've never heard or seen of anything like this," said U.S. District Judge Morrison C. England Jr., who originally sentenced McDavid. The judge ordered him released in accord with an unusual agreement between prosecutors and his appellate attorneys.

The judge demanded answers from the prosecution as to how this could have happened. From what's reported by the Sacramento Bee, it appears those answers -- like the previously-missing evidence -- were nowhere to be found.

"I sat through the 10-day trial of Mr. McDavid," a clearly exasperated England said, sometimes stopping to hold his head in his left hand.

"I know he's not necessarily a choirboy, but he doesn't deserve to go through this, either. It's not fair."

Officials from the US Attorney's office joined Assistant US Attorney Andre Espinosa, but the brain trust came up with nothing.

Espinosa and John Vincent, chief of the U.S. attorney's criminal division, said the documents had remained in the FBI's possession in a file in Sacramento.

Great answer. Even better, the government contends that even if it had managed to turn over the evidence in a timely fashion, it still probably could have secured a conviction. But actions speak louder than this attempt to wedge an undeserved last word in sideways. McDavid is a free man after pleading guilty to a single conspiracy charge. And even that's questionable. From what's been turned over, it appears McDavid was another one of the FBI's "homegrown terrorists."

Despite Thursday's guilty plea, his supporters say McDavid was never guilty of anything more serious than falling for a comely 18-year-old woman he met at an Iowa meeting in 2004, a woman who later prodded him to take violent action against government targets with promises that they would later consummate a romantic relationship.

The woman, named in court documents and at the trial only as "Anna," turned out to be an FBI informant and played a critical role in McDavid's arrest, as well as his release Thursday… Court documents spell out in detail how "Anna" provided money, transportation, housing and food to McDavid and his two co-defendants over an 18-month period, evidence his lawyers say shows the entire case was about entrapment rather than stopping terrorist attacks.

McDavid's lawyer got in his own last word, a bit more deserved than the US Attorney General's office.

"I hope she's not ruining someone else's innocent life."

Keep hope alive. This has been the main component of the FBI's counterterrorism efforts: plots designed, built and put into motion by FBI informants and undercover agents, utilizing whatever weak-willed or weak-minded individuals they happen to talk into participating. Feeling any safer, America? Self-motivated terrorists roam free while the FBI plays dress-up with the easily-flattered and easily-duped.

The three targeted in this investigation were urged on by "Anna." None of them had previous convictions. The arrests followed the purchase of household chemicals, supposedly for bomb-making. This was the culmination of a two-year "investigation" during which "Anna" repeatedly pushed the three men towards bombing targets in the area. Much of what was presented to the jurors was personal testimony by Anna that could not be corroborated by video or audio recordings (Anna frequently wore a wire and many of the meetings took place in her cabin, which had surveillance cameras installed). So, the FBI presented plenty of hearsay while withholding thousands of pages of evidence. Our words against yours.

In the end, "our word" wasn't enough. McDavid -- more lovestruck fool than eco-terrorist -- is free and the world is no more dangerous than it would have been if he was incarcerated. Any bets that the FBI will be more forthcoming in the future? I'm guessing it won't. Why should it? All it lost here was someone it had groomed for arrest. It didn't lose a threat, or a public enemy. Win a few, lose a few. It will continue to play terrorist charades because it pays as much as real investigative work, but has a much higher chance of success.

from the will-it-happen? dept

In a surprising development, the New York Times reported late Friday that the FBI and Justice Department have recommended felony charges against ex-CIA director David Petraeus for leaking classified information to his former biographer and mistress Paula Broadwell. While the Times does not specify, the most likely law prosecutors would charge Petraeus under is the same as Edward Snowden and many other leakers: the 1917 Espionage Act.

It remains to be seen whether Petraeus will actually be indicted (given how high-ranking government officials so often escape punishment), and the decision now sits on Attorney General Eric Holder's desk. But this is a fascinating and important case for several reasons.

First, all of Petraeus's powerful D.C. friends and allies are about to be shocked to find out how seriously unjust the Espionage Act is—a fact that has been all too real for many low-level whistleblowers for years.

By all accounts, Petraeus's leak caused no damage to US national security. "So why is he being charged?" his powerful friends will surely ask. Well, that does not matter under the Espionage Act. Even if your leak caused no national security damage at all, you can still be charged, and you can't argue otherwise as a defense at trial. If that sounds like it can't be true, ask former State Department official Stephen Kim, who is now serving a prison sentence for leaking to Fox News reporter James Rosen. The judge in his case ruled that prosecutors did not have to prove his leak harmed national security in order to be found guilty.

It doesn't matter what Petraeus's motive for leaking was either. While most felonies require mens rea (an intentional state of mind) for a crime to have occurred, under the Espionage Act this is not required. It doesn't matter that Petraeus is not an actual spy. It also doesn't matter if Petraeus leaked the information by accident, or whether he leaked it to better inform the public, or even whether he leaked it to stop a terrorist attack. It's still technically a crime, and his motive for leaking cannot be brought up at trial as a defense.

This may seem grossly unfair (and it is!), but remember, as prosecutors themselves apparently have been arguing in private about Petraeus's case: "lower-ranking officials had been prosecuted for far less." Under the Obama administration, more sources of reporters have been prosecuted under the Espionage Act than all other administrations combined, and many have been sentenced to jail for leaks that should have never risen to the level of a criminal indictment.

Ultimately, no one should be charged with espionage when they didn't commit espionage, but if prosecutors are going to use the heinous Espionage Act to charge leakers, they should at least do it fairly and across the board—no matter one's rank in the military or position in the government. So in one sense, this development is a welcome one.

For years, the Espionage Act prosecutions have only been for low-level officials, while the heads of federal agencies leak with impunity. For example, current CIA director John Brennan, former CIA director Leon Panetta, and former CIA general counsel John Rizzo are just three of many high-ranking government officials who have gotten off with little to no punishment despite the fact we know they've leaked information to the media that the government considers classified.

So hopefully Eric Holder does the right thing and indicts Petraeus like he has so many others with far fewer powerful connections. As Petraeus himself once said after CIA whistleblower John Kiriakou was convicted for leaking: "There are indeed consequences for those who believe they are above the laws."

But if Petraeus does get indicted, perhaps we should start a new campaign: "Save David Petraeus! Repeal the Espionage Act!"

from the the-warrant-that-wasn't-there dept

As Mike covered here earlier, Sens. Grassley and Leahy are asking the FBI for more answers on its Stingray usage. Not that anyone should be holding their breath in anticipation of a response. The government's use of Stingray devices has been actively hidden from the public (and criminal defendants) for years. Local law enforcement's use has also been hidden, thanks to a bizarre set of non-disclosure agreements, both with the manufacturer (Harris) and the FBI itself.

So, while we wait for the heavily-redacted responses to the senators' queries to eventually arrive at an undetermined point in the far future, let's take a closer look at what the FBI has actually gone on record with about its Stingray use.

The good news (that actually isn't) is this: the FBI now has a warrant requirement for Stingray deployment. But there are (of course) exceptions.

[W]e understand that the FBI’s new policy requires FBI agents to obtain a search warrant whenever a cell-site simulator is used as part of a FBI investigation or operation, unless one of several exceptions apply, including (among others): (1) cases that pose an imminent danger to public safety, (2) cases that involve a fugitive, or (3) cases in which the technology is used in public places or other locations at which the FBI deems there is no reasonable expectation of privacy.

A Stingray device is rarely deployed from the comfort of the suspect's living room. In fact, it's safe to say this never happens. What does happen is that Stingrays are deployed from vehicles on public streets or flown overhead in aircraft. It would probably be safe to say that there has not been a Stingray deployment that didn't occur in a public place.

So, there's really no need to ever seek a warrant. The FBI can point proudly to its new warrant requirement as evidence of its respect for privacy, just as long as no one asks if there are any exceptions. Grassley and Leahy, however, have asked. And they have mastered the art of the understatement. They continue:

We have concerns about the scope of the exceptions.

The rule is demolished by the exception. There is no rule. There is no need for the FBI to ever seek a warrant for Stingray usage. If some weird situation does manage to crop up, it will probably involve some other exception (including ones that aren't listed here), and we're back to square one.

If and when the answers arrive, the numbers following these questions will be highly illuminating.

2. From January 1, 2010, to the effective date of the FBI’s new policy:
   a. How many times did the FBI use a cell-site simulator?
   b. In how many of these instances was the use of a cell-site simulator authorized by a search warrant?
   c. In how many of these instances was the use of the cell-site simulator authorized by some other form of legal process? Please identify the legal process used.
   d. In how many of these instances was the cell-site simulator used without any legal process?
   e. In how many of the instances referenced in Question 2(d) did the FBI use a cell-site simulator in a public place or other location in which the FBI deemed there is no reasonable expectation of privacy?

Given the scope of the "public place" exception, the answers to (d) and (e) should be nearly identical. All that remains to be seen is how close those numbers are to 2(a).

from the dangerous-ideas dept

It's no secret that some in the computer security world like the idea of being able to "hack back" against online attacks. The simplest form of this idea is a question: if you're a company under a denial-of-service attack, should you be able to "hack" a computer that is coordinating those attacks to stop them? More than two years ago, an LA Times article noted that some cybersecurity startups were marketing such services. Related to this, when the terrible CISPA legislation was being debated, one concern was that it would legalize such "hack backs" because, among other things, CISPA would grant immunity to companies "for decisions made based on cyber threat information." Some interpreted that to mean that companies would have immunity if they decided to hack back against an attacker.

A new article from Bloomberg suggests that companies are still quite eager to get involved in hacking back, and the FBI (which supported CISPA) is investigating some such cases where it may have happened. However, companies like JP Morgan still love the idea:

In February 2013, U.S. officials met with bank executives in New York. There, a JPMorgan official proposed that the banks hit back from offshore locations, disabling the servers from which the attacks were being launched, according to a person familiar with the conversation, who asked not to be identified because the discussions were confidential.

The article notes, of course, that such attacks likely violate the CFAA (Computer Fraud and Abuse Act) (which is why some want immunity for hack backs). But, it's a bad idea not just because it likely breaks the law, but because it's stupid and dangerous. First, accurately determining who is behind a hack is quite difficult -- as we're seeing lately with all the recent skepticism about the FBI's claim that North Korea was responsible for the Sony Hack. Launching a counterattack against the wrong party can have serious consequences -- even more so when those counterattacks might target actual nation states, rather than just a group of script kiddies.

On top of that, the article notes, the hack back attempt could make the situation even worse:

Efforts to retaliate can make things worse, [Kevin Mandia] said, because attackers who aren’t purged from the network could escalate the assault or ramp up attacks on other companies targeted by the same group.

And, of course, the very real possibility that the wrong party is targeted in the hack back can create all sorts of collateral damage. Remember when Microsoft took down many thousands of sites by mistargeting a court order? Imagine that without any court even being involved.

Finally, think through the obvious consequences of this. If you're a malicious hacker, it suddenly becomes a great opportunity. Pick two separate targets you want to harm -- then attack one and make it appear like the attack is coming from the other. Then sit back and watch the two of them duke it out while you laugh away.

Hacking back is a vigilante Hollywood movie-style idea that pays no attention to the realities of the technology or the consequences of the actions. Hopefully companies are smart enough not to follow through -- and lawmakers prevent it from being protected by law.

from the still-pretty-sure dept

After the FBI formally named North Korea as being behind the Sony Hack, a lot of people in the cybersecurity community explained why they didn't find the evidence at all compelling. There was pretty widespread disbelief in the story -- though most admitted that it was possible that the FBI had additional evidence it wasn't sharing. In the past few days, a lot of attention has been paid to a theory coming out of Norse Security, that the attack really came from a group of people (not associated with North Korea) including, in particular, a disgruntled ex-Sony employee. On Monday, the FBI met with Norse to hear what the company had to say, but apparently came away unconvinced. The FBI continues to stand by its assertion that North Korea did it.

Asked about the meeting and criticism on Monday, the FBI declined to comment beyond a prepared statement that they are confident the North Koreans are behind the crippling Thanksgiving attack and there is “no credible information” to suggest otherwise.

Tuesday, a U.S. official familiar with the matter said after the three-hour meeting, law enforcement concluded that the company’s analysis “did not improve the knowledge of the investigation.”

Ouch. Once again, it is entirely possible that the FBI has access to even more information that it has not shared. However, it does seem rather clear at this point that the evidence it has shared publicly is just as unconvincing to cybersecurity experts as the information those security experts have shared is unconvincing to the FBI.

from the oversight! dept

We've talked quite a bit about National Security Letters (NSLs) and how the FBI/DOJ regularly abused them to get just about any information the government wanted with no oversight. As a form of an administrative subpoena -- with a built-in gag order -- NSLs are a great tool for the government to abuse the 4th Amendment. Recipients can't talk about them, and no court has to review/approve them. Yet they certainly look scary to most recipients who don't dare fight an NSL. That's part of the reason why at least one court found them unconstitutional.

At the same time, we've also been talking plenty about Section 215 of the PATRIOT Act, which allows the DOJ/FBI (often working for the NSA) to go to the FISA Court and get rubberstamped court orders demanding certain "business records." As Ed Snowden revealed, these records requests can be as broad as basically "all details on all calls." But, since the FISA Court reviewed it, people insist it's legal. And, of course, the FISA Court has the reputation as a rubberstamp for a reason -- it almost never turns down a request.

However, in the rare instances where it does, apparently, the DOJ doesn't really care, knowing that it can just issue an NSL instead and get the same information. At least that appears to be what the DOJ quietly admitted to doing in a now-declassified Inspector General's report from 2008. EFF lawyer Nate Cardozo was going through it and spotted this troubling bit:

If you can't read it, it says:

We considered the Section 215 request for [REDACTED] discussed earlier in this report at pages 33 to 34 to be a noteworthy item. In this case, the FISA Court had twice declined to approve a Section 215 application based on First Amendment Concerns. However, the FBI subsequently issued NSLs for information [REDACTED] even though the statute authorizing the NSLs contained the same First Amendment restriction as Section 215 and the ECs authorizing the NSLs relied on the same facts contained in the Section 215 applicants...

In other words, the FBI had a neat way to get around a rare FISA Court rejection: just issue an NSL and ignore the First Amendment concerns.

Apparently, to some, whatever weak "oversight" there is from the FISA Court really just means "find another door in to violate the same Constitutional issues."